Cisco Support Community

Issues with VPN - ASA5520 to Sidewinder

I am having an issue where occasionally the Sidewinder starts to see my internal RFC 1918 address instead of the configured external address of my firewall. This is for peering between the two. The error they see on the Sidewinder is:

Apr  3 07:50:53 2012 MDT  f_kernel_ipsec a_vpn t_attack p_major
pid: 0 ruid: 0 euid: 0 pgid: 0 logid: 0 cmd: 'kernel'
domain: (null) edomain: (null) hostname: OIT_FW_690P.state.co.us
category: policy_violation event: IPsec policy mismatch srcip: 206.67.211.181
dstip: 10.9.2.27 protocol: 50 srcburb: ACS_VPN_Virtual interface: em12
vpn_name: ACS_VPN local_net: 10.9.2.21/32 remote_net: 206.67.211.181/32
remote_id: 10.220.3.18 information: ipsec:policy_mismatch:2
reason: The Sidewinder dropped an inbound IPsec packet because it does not match IPsec policy.

So instead of seeing the external peer address he sees a 10.220.3.18 address. We are not sure what triggers this because normally he sees my 63.117.98.222 address.

1 REPLY

Issues with VPN - ASA5520 to Sidewinder

I guess the question is why does this happen? We added my internal IP to the interesting traffic on his end. Does this have anything to do with NAT-T, or something to do with the identity address configured on the Sidewinder?
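The audit line quoted in the original post can be checked mechanically rather than by eye. What follows is an added example, written for this page and not taken from the original poster, Cisco or the Sidewinder vendor: a small Python parser for the Sidewinder "key: value" audit format, plus a check that flags policy-mismatch events in which the IKE identity the peer presented (remote_id) is a private RFC 1918 address or does not match the address the ESP packet actually arrived from (srcip), which is exactly the symptom described above. The first sample line is the event from the post joined onto one line; the second is a constructed control line in which remote_id equals srcip. The esp_encapsulation helper assumes, and this is my assumption rather than anything the vendor documents, that the audit's protocol field is the on-wire IP protocol of the dropped packet.

```python
import ipaddress
import re

# Constructed samples. POST_LINE is the event quoted in the post, joined onto one
# line; CONTROL_LINE is a made-up variant in which the peer's IKE identity equals
# the packet source address, so the identity checks should stay quiet for it.
POST_LINE = (
    "Apr  3 07:50:53 2012 MDT  f_kernel_ipsec a_vpn t_attack p_major "
    "pid: 0 ruid: 0 euid: 0 pgid: 0 logid: 0 cmd: 'kernel' "
    "domain: (null) edomain: (null) hostname: OIT_FW_690P.state.co.us "
    "category: policy_violation event: IPsec policy mismatch srcip: 206.67.211.181 "
    "dstip: 10.9.2.27 protocol: 50 srcburb: ACS_VPN_Virtual interface: em12 "
    "vpn_name: ACS_VPN local_net: 10.9.2.21/32 remote_net: 206.67.211.181/32 "
    "remote_id: 10.220.3.18 information: ipsec:policy_mismatch:2 "
    "reason: The Sidewinder dropped an inbound IPsec packet because it does not "
    "match IPsec policy."
)
CONTROL_LINE = POST_LINE.replace("07:50:53", "07:51:10").replace(
    "remote_id: 10.220.3.18", "remote_id: 206.67.211.181"
)

# A field is a bare key followed by ': ' and its value; values may contain spaces
# ('event: IPsec policy mismatch') but never another 'key: ' token, so cutting the
# line at every such token recovers the fields.
FIELD_RE = re.compile(r"(?:^|\s)([A-Za-z_]+):\s+")


def parse_audit_line(line):
    """Return the audit line as a dict; the leading timestamp/facility/area/type/
    priority words that precede the first field are kept under 'header'."""
    matches = list(FIELD_RE.finditer(line))
    fields = {"header": (line[: matches[0].start()] if matches else line).strip()}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        fields[m.group(1)] = line[m.end() : end].strip()
    return fields


def identity_findings(fields):
    """Tags describing why the peer identity in a mismatch event looks wrong.

    'private_remote_id': remote_id is an RFC 1918 / otherwise private address,
    which an Internet-facing peer should never present as its IKE identity.
    'remote_id_differs_from_srcip': the identity does not match the address the
    ESP packet actually came from (the exact symptom in the post).
    """
    findings = []
    try:
        rid = ipaddress.ip_address(fields.get("remote_id", ""))
    except ValueError:
        # FQDN / KEY_ID style identities are legitimate and cannot be compared
        # to an address, so they are not flagged here.
        return findings
    if rid.is_private:
        findings.append("private_remote_id")
    srcip = fields.get("srcip")
    if srcip and rid != ipaddress.ip_address(srcip):
        findings.append("remote_id_differs_from_srcip")
    return findings


def esp_encapsulation(fields):
    """'esp' when the dropped packet was raw ESP (IP protocol 50), 'udp' when it
    arrived inside UDP (protocol 17, i.e. NAT-T on port 4500), else 'other'.
    Assumption (mine, not stated by the vendor): the audit's protocol field is
    the on-wire IP protocol of the packet that was dropped."""
    return {"50": "esp", "17": "udp"}.get(fields.get("protocol", ""), "other")


def scan(lines):
    """Return (header, findings, encapsulation) for each policy-mismatch event
    whose peer identity is suspicious; other events and clean lines are skipped."""
    hits = []
    for line in lines:
        fields = parse_audit_line(line)
        if fields.get("event") != "IPsec policy mismatch":
            continue
        findings = identity_findings(fields)
        if findings:
            hits.append((fields["header"], findings, esp_encapsulation(fields)))
    return hits


if __name__ == "__main__":
    for header, findings, encap in scan([POST_LINE, CONTROL_LINE]):
        print(header, "->", ", ".join(findings), f"(packet was {encap})")
```

Run against the two sample lines, only the event from the post is reported, with both tags set. The encapsulation tag is there because of the NAT-T question in the reply: the quoted event shows protocol 50, so if the audit records the on-wire protocol, that packet arrived as plain ESP rather than UDP/4500 NAT-T encapsulated, which is worth confirming against the ASA side before chasing NAT-T further.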
